[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
PSEUDO-CLASSIFICATION OF EXECUTIVE BRANCH DOCUMENTS: PROBLEMS WITH THE
TRANSPORTATION SECURITY ADMINISTRATION'S USE OF THE SENSITIVE SECURITY
INFORMATION DESIGNATION
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT OPERATIONS
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
SECOND SESSION
__________
MAY 29, 2014
__________
Serial No. 113-121
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
U.S. GOVERNMENT PRINTING OFFICE
88-973 WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina ELEANOR HOLMES NORTON, District of
JIM JORDAN, Ohio Columbia
JASON CHAFFETZ, Utah JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee MATTHEW A. CARTWRIGHT,
TREY GOWDY, South Carolina Pennsylvania
BLAKE FARENTHOLD, Texas TAMMY DUCKWORTH, Illinois
DOC HASTINGS, Washington ROBIN L. KELLY, Illinois
CYNTHIA M. LUMMIS, Wyoming DANNY K. DAVIS, Illinois
ROB WOODALL, Georgia PETER WELCH, Vermont
THOMAS MASSIE, Kentucky TONY CARDENAS, California
DOUG COLLINS, Georgia STEVEN A. HORSFORD, Nevada
MARK MEADOWS, North Carolina MICHELLE LUJAN GRISHAM, New Mexico
KERRY L. BENTIVOLIO, Michigan Vacancy
RON DeSANTIS, Florida
Lawrence J. Brady, Staff Director
John D. Cuaderes, Deputy Staff Director
Stephen Castor, General Counsel
Linda A. Good, Chief Clerk
David Rapallo, Minority Staff Director
Subcommittee on Government Operations
JOHN L. MICA, Florida, Chairman
TIM WALBERG, Michigan GERALD E. CONNOLLY, Virginia
MICHAEL R. TURNER, Ohio Ranking Minority Member
JUSTIN AMASH, Michigan JIM COOPER, Tennessee
THOMAS MASSIE, Kentucky MARK POCAN, Wisconsin
MARK MEADOWS, North Carolina
C O N T E N T S
----------
Page
Hearing held on May 29, 2014..................................... 1
WITNESSES
Ms. Annmarie Lontz, Division Director, Office of Security
Services and Assessments, Transportation Security
Administration
Oral Statement............................................... 5
Mr. John Fitzpatrick, Director, Information Security Oversight
Office, National Archives and Records Administration
Oral Statement............................................... 7
Written Statement............................................ 9
Ms. Patrice McDermott, Executive Director Openthegovernment.org
Coalition
Oral Statement............................................... 16
Written Statement............................................ 19
APPENDIX
Joint Staff Report Prepared for Chairman Issa and Rep. Cummings.. 40
Questions for the Record for Annmarie Lontz, TSA................. 69
PSEUDO-CLASSIFICATION OF EXECUTIVE BRANCH DOCUMENTS: PROBLEMS WITH THE
TRANSPORTATION SECURITY ADMINISTRATION'S USE OF THE SENSITIVE SECURITY
INFORMATION DESIGNATION
----------
Thursday, May 29, 2014,
House of Representatives,
Subcommittee on Government Operations,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittee met, pursuant to call, at 10:00 a.m., in
Room 2154, Rayburn House Office Building, Hon. John Mica
[chairman of the subcommittee] presiding.
Present: Representatives Mica, Meadows, Amash, Issa, and
Connolly.
Staff Present: Molly Boyl, Majority Deputy General Counsel
and Parliamentarian; Ashley H. Callen, Majority Deputy Chief
Counsel for Investigations; Sharon Casey, Majority Senior
Assistant Clerk; Kate Dunbar, Majority Professional Staff
Member; Adam P. Fromm, Majority Director of Member Services and
Committee Operations; Linda Good, Majority Chief Clerk; Ashok
M. Pinto, Majority Chief Counsel, Investigations; Andrew
Rezendes, Majority Counsel; Jaron Bourke, Minority Director of
Administration; Krista Boyd, Minority Deputy Director of
Legislation/Counsel; Aryele Bradford, Minority Press Secretary;
Cecelia Thomas, Minority Counsel; and Michael Wilkins, Minority
Staff Assistant.
Mr. Mica. Good morning. I would like to welcome everyone to
the Subcommittee on Government Operations hearing this morning.
This morning's hearing will cover the subject and the title of
the hearing, in fact, is Pseudo-Classification of Executive
Branch Documents: Problems with the Transportation Security
Administration's Use of Sensitive Security Information
Designation. That is the title and subject of our hearing
today.
The order of business will be first we will hear from
members with opening statements.
Mr. Connolly, the ranking Democrat member, is delayed. I
have asked one of the representatives of the minority side
staff to sit in until he is able to join us. He has a markup,
but we do want to proceed with the hearing. We have a long
legislative day today and we want to conclude and also, of
course, proceed with this hearing in an orderly fashion. So the
order of business will be opening statements. We will recognize
Mr. Connolly when he is able to join us, but we are going to
proceed with the hearing.
After that, we have three witnesses this morning. I will
identify them, they will be sworn in, and we will proceed with
their testimony.
And from that point, after we hear from all three
witnesses, we will go to questions.
With that, I will begin with my opening statement.
Again, I thank everyone for joining us today. One of the
things, Mr. Issa, chairman of the full committee, always states
is the purpose of our Oversight and Reform Committee is to be
good stewards of the trust the American people have given the
responsibility of Congress with, and that is to make certain
that programs work efficiently, economically, and also in
concert with the intent of Congress.
We are stewards of that important trust and it is important
that a committee such as ours, which dates back to the early
1800s, when the founding fathers wanted to make certain that
not only programs that were created worked as intended, but
also that, when they were funded, they were responsibly funded
and there was accountability and responsibility. So that is the
purpose of our committee and this subcommittee's charge, and we
take that responsibility to protect the rights and also the
trust of the American people in making certain that the Federal
bureaucracy, those responsible, operate in an accountable
manner.
So, with that, let me start with my opening statement.
We are actually going to hear the culmination of a
committee's investigation over the past year and a half into
problems with the TSA's use of sensitive security information
designation. The report that has been prepared by the inspector
general unfortunately confirms the fact that TSA gamed the
system to use a security classification or those
classifications to keep Congress and the public from having
access to key information in order to protect their own turf.
That is what I believe the report shows. I also believe the TSA
must end its arbitrary use of sensitive security information
designation and use of it improperly, and ensure the security
and accountability the public becomes its primary concern.
So today we are going to examine the misuse of the
designation. We will explore the improvements TSA has made,
some of the report covers some earlier years. We will look at
that. And we will also see what the agency has done to educate
staff since the committee's investigation began and address the
labeling of non-classified information beyond TSA throughout
the Federal Government, because we found some similar abuses in
other agencies.
Pursuant to the Air Transportation Security Act of 1974,
the Federal Aviation Administration created a category of
security classification and it is entitled Sensitive Security
Information, or SSI, as it is commonly called, a category of
sensitive but, in fact, unclassified information.
It is important to note that we are not talking about
classified information today. We are not going to discuss
classified information. Rather, the subject of this hearing is
the realm of unclassified information in this particular
designation, SSI. The SSI designation is a pseudo-
classification and is not afforded the same protection as other
classified information, such as top secret or secret. The SSI
regulation restricts the disclosure of information designated
as SSI because public disclosure would be detrimental to, in
this case, transportation security.
When used properly, the SSI designation protects sensitive
information from public disclosure, which could in some cases
be detrimental to certain security interests. Because SSI is an
internal TSA, and again we term it pseudo-classification;
however, there is potential for misuse of the designation and,
unfortunately, we have seen that to be the case.
Bipartisan concerns about TSA's use or misuse of the SSI
designation have existed since the promulgation of the
regulation in 2004. Following a congressional request to review
how TSA used its SSI authority to withhold information from the
public, GAO released a report in 2005 finding that TSA lacked
adequate internal controls to provide reasonable assurance that
the agency is applying the SSI designation consistently.
In July of 2011, DHS Deputy Secretary Counsel Joseph Mayer
alleged that subcommittee of this full committee, the chairman,
Jason Chaffetz, had unlawfully released portions of a DHS
PowerPoint presentation designated as SSI, and that alleged
offense, according to, again, DHS, took place during a National
Security Homeland Defense and Foreign Operations Subcommittee
hearing, and that is one of the subcommittees I am privileged
to serve on with Mr. Chaffetz.
Chairman Issa responded to the allegations to then
Secretary Napolitano, explaining that Congress is not covered
by the regulation governing SSI protection. Such a lack of
understanding or disregard of the SSI designation at the
highest levels of DHS was concerning.
The subsequent exchange between the committee and DHS
prompted a whistleblower at TSA to contact the committee with
information regarding the misuse of the SSI designation by
political staff at TSA. Our committee, perhaps more than any
other, relies on whistleblowers that come forward from the
Federal Government departments and agencies, and they often
give us tips and information in identifying waste, fraud, and
abuse.
As a result of that whistleblowing information, the
committee conducted and transcribed interviews with current and
former TSA SSI office staff and we obtained hundreds of pages
of documents responsive to formal document requests made to
TSA.
I am pleased today to announce that Chairman Issa and
Ranking Member Cummings are releasing a joint staff report that
contains our investigation findings and recommendations. We
look forward to making this report a full committee report and
we will have it under consideration, I am told, at the next
full committee business meeting.
I would like to ask unanimous consent to enter a joint
staff report into the record at this time. Without objection,
so ordered.
Mr. Mica. The witness testimony and documents show that TSA
officials manipulated SSI designations to prevent the release
of non-SSI documents. This was first against the advice of
TSA's SSI office, whose mission is to evaluate information and
determine whether it qualifies in the very beginning as SSI and
for that designation. TSA also released SSI documents against
the advice of career staff at the SSI office.
While the TSA administrator has the final authority to
determine whether information is classified as SSI under the
regulation, the administrator must submit written explanations
of the SSI decision to the SSI office in a timely fashion.
Unfortunately, repeated failures by TSA officials to submit
written determinations supporting the release or withholding of
SSI caused a rift between senior TSA leadership and the SSI
office. This rift resulted in the inconsistent application of
the SSI designation. Such consistency, unfortunately, is also
shown to be detrimental to the process of protecting sensitive
transportation security information.
As a result of the committee's investigation, TSA has made
some changes and improvements to its processes for the handling
of this SSI information. We look forward to hearing from the
witnesses today to hear more about the progress that has been
made and improvements by the agency.
TSA's handling of SSI, again, information and use of that
designation reveals a broader problem, again, of pseudo-
classification of information across Federal departments and
agencies, so we found in looking at TSA, unfortunately we found
also extends beyond the borders of that agency, and there are
broad concerns that agencies, other agencies are using pseudo-
classification designations to make it difficult for requesters
such as Congress and others to acquire unclassified
information.
This raises the possibility that officials may use such
information labeling to control the release of non-classified
information for political reasons or purposes, again, some
serious concerns, and again keeping both the Congress and the
public from obtaining information of sort of covering their
turf base or improperly using that designation.
Limits on pseudo-classifications are needed, in fact, we
think to provide greater transparency and accountability to the
public while promoting information security. We have to do
both. The committee plans to examine this issue in greater
detail and I look forward to future hearings on our findings.
I am grateful for the witnesses who are appearing today and
others who have cooperated with the committee. This has been a
fully bipartisan effort and investigation, and the product that
they have produced that will be made part of the record and
accepted by the full committee is again a work developed by
both sides of the aisle. So I look forward to hearing testimony
today and at this time prepared to hear opening statements or
comments from other members. Mr. Meadows?
Mr. Meadows. I will be very brief. Thank you, Mr. Chairman,
for calling this hearing and for this bipartisan effort to
address this issue.
Truly, from the witnesses, what I would look for is how we
can improve the process. I think the American people deserve
transparency, and any time that that doesn't happen, whether it
is intentional or not, it gives a level of distrust, and right
now we need to build back that trust in terms of our
Government. There are hundreds of thousands of great Federal
workers, and for each occasion where something like this gets
classified in a wrong setting or the impression is that we are
hiding information, it undermines their credibility.
The American people can handle the truth; we just need to
make sure that we give them the truth and that we are not doing
that. So at this point I just look forward to your testimony. I
thank each one of you for being here, and I thank the chairman
for his leadership on this particular effort.
I yield back.
Mr. Mica. Thank you, Mr. Meadows.
Members may have seven days to submit opening statements
for the record.
When Mr. Connolly returns, he will have adequate time to
present an opening statement or participate fully in the
hearing, and we will, as I said, proceed because we do need to
keep up with the agenda today, a full legislative schedule.
I will now recognize the first panel that we have.
We have Ms. Annmarie Lontz. She is the Division Director of
the Office of Security Services and Assessments at the
Transportation Security Administration.
We have Mr. John Fitzpatrick. He is the Director of
Information Security Oversight Office at the National Archives
and Records Administration.
And we have Ms. Patrice McDermott, and she is the Executive
Director of the Openthegovernment.org Coalition.
So I would like to first welcome all of our witnesses. I
don't know if you have been before our committee before or
testified in Congress. What we normally do is we ask you to try
to limit your remarks to approximately five minutes. We don't
have a big panel or hearing today, so we will be a little bit
lenient with that. But if you have additional documents or
information or extended testimony you want to be made part of
the record, just a request to the chair and we will make
certain it appears in the record.
We are also an investigative and oversight committee of
Congress, so, therefore, we swear in our witnesses. So if you
would stand at this time and be sworn. Raise your right hands.
Do you solemnly swear or affirm that the testimony you are
about to give before this subcommittee of Congress is the whole
truth and nothing but the truth?
[Witnesses respond in the affirmative.]
Mr. Mica. All of the witnesses, the record will reflect,
answered in the affirmative, so we will proceed with our first
panel.
Let me first recognize and welcome Annmarie Lontz. Again,
she is the Division Director of the Office of Security Services
and Assessments at TSA.
Welcome, and you are recognized.
WITNESS STATEMENTS
STATEMENT OF ANNMARIE LONTZ
Ms. Lontz. Chairman Mica, Ranking Member Connolly, and
members of the subcommittee, thank you for the opportunity to
testify today regarding sensitive security information, or SSI,
and the improvements made by the Transportation Security
Administration regarding training, designation, and handling.
As the Division Director for the Security Services and
Assessments Division for nearly one year, one of my
responsibilities is overseeing the SSI program office, whose
charged with the management, consistent application,
identification, safeguarding, and redaction of SSI. The SSI
program office is staffed by career professionals with
significant experience and a comprehensive understanding of SSI
and its role in transportation security.
SSI is one of the few types of sensitive, but unclassified,
information defined by statute. Congress authorized the Federal
Aviation Administration to designate SSI in the 1970s and the
FAA promulgated regulations to implement that congressional
mandate. When TSA was created, Congress also authorized TSA to
designate information as SSI, and TSA regulations to promulgate
this mandate are found in 49 CFR Part 1520.
The SSI designation was designed as a tool to protect
information obtained or developed in the conduct of security
activities, recognizing the potential need to share this
information with non-governmental entities, including airlines
and other stakeholders.
When it provideD TSA with SSI designation authority,
Congress also empowered the administrator of TSA to make final
determinations on the disclosure of SSI. TSA's management
directive and associate guidance, which governs the SSI
program, provides considerations for ensuring that SSI is
treated in a manner consistent with the regulation. This
directive requires the release of as much information as
possible without compromising transportation security, while
taking into consideration the information's operational use to
adversaries, the level of detail, the public availability of
the information, and the age of the record. The goal is to
redact as little information as possible to protect SSI.
The SSI program continually evaluates program requirements
and areas for potential improvement. TSA has undertaken
significant enhancements to the program's policies, training,
and management of SSI, including updating the SSI training and
making it mandatory for all TSA employees and contractors on an
annual basis, refining the redaction process, developing a
comprehensive policies and procedures handbook to eliminate
gaps in previous guidance, defining specific roles and
responsibilities, improving reference guides for DHS employees
and contractors, leveraging available technology to improve
operations and engage personnel, and standardizing the process
through which the administrator may revoke the SSI designation.
Training is an integral part of program and process
improvements made by TSA with regard to SSI. The SSI program
office has implemented an extensive SSI continuing education
training program; conducted targeted SSI advanced training and
awareness activities for key TSA stakeholders, DHS components,
and other Federal agencies; solidified our internal processes;
and recruited and trained SSI coordinators throughout TSA.
TSA supports the efforts made by Mr. Fitzpatrick and the
National Archives with regard to controlled, unclassified
information and has been an active participant in the
development and preparation for implementation of CUI. While
there is always room for improvement, I believe that TSA has in
place a robust and mature SSI program for the safeguarding of
sensitive, but unclassified information and, as a result, SSI
identification and safeguarding practices are unlikely to
change upon the implementation of CUI.
TSA understands the importance of the SSI designation and
recognizes the value of transparency and the need for the
public to have access to as much information as possible. We
will continue to seek out opportunities to further improve how
SSI is identified, managed, redacted, and safeguarded, and work
with Mr. Fitzpatrick's office to fulfill the intent of the
President's Executive Order regarding controlled and classified
information.
I look forward to answering any additional questions that
you may have. Thank you.
Mr. Mica. Thank you.
We will now turn to Mr. Fitzpatrick and welcome him and
recognize him. Thank you.
STATEMENT OF JOHN FITZPATRICK
Mr. Fitzpatrick. Thank you, Chairman Mica. Thank you for
inviting me to testify before you today. I am John Fitzpatrick,
the Director of the Information Security Oversight Office,
which we call ISOO, at the National Archives and Records
Administration.
My office is responsible to the President for policy and
oversight of the government-wide security classification
system, its companions for industry and for non-Federal
partners, and for the controlled unclassified information
program. At ISOO, we lead efforts to standardize and assess the
management of classified and controlled unclassified
information through oversight of department and agency policy
and practice.
I will focus today on the controlled unclassified
information, or CUI, program, its policy objectives and current
state of development.
Executive Order 13556 establishes a uniform system to
manage the Executive Branch's sensitive unclassified
information that requires safeguarding and/or dissemination
controls pursuant to Federal law regulation or government-wide
policy. The Executive Order designated the National Archives
and Records Administration as the executive agent for the
program, and the Archivist of the United States subsequently
tasked ISOO with this mission.
Among the program's policy objectives is the promotion of
openness and transparency. The CUI program will replace the
current confusing and inefficient patchwork of agency-specific
practices with a single open and uniform system of policies,
procedures, and markings. This new framework is intended to
both enhance interagency trust and remove impediments to
authorized information sharing through increased clarity of
guidance and consistency of practices.
ISOO maintains a publicly available registry of all
categories and subcategories of information that meet the
Executive Order's standard for protection, providing links to
the text of authorizing laws, regulations, and government-wide
policies. There are currently 22 categories and 85
subcategories of such information, ranging from sensitive
nuclear and critical infrastructure information to personal
privacy and business proprietary data, as well as a host of
other information types. Sensitive security information, or
SSI, is one such subcategory. It is properly authorized as CUI
according to the terms of the Executive Order.
The CUI registry also contains all policies and guidance
related to CUI. This serves to enhance openness and
transparency by making the Government basis for establishing
information controls available for all to see. These policies
and procedures are being developed in consultation with
affected departments and agencies. We also actively seek
feedback from State, local, tribal, private sector, as well as
public interest groups. Just this month we began the formal
Federal regulatory process and will follow that process through
agency and public comment to produce a final Federal rule.
The relationship between the CUI program and the Freedom of
Information Act, or FOIA, also serves the goals of openness and
transparency. Executive Order 13556 draws a bright line between
the two, stating that the mere fact that information is
designated as CUI shall not have a bearing on determinations
pursuant to any law requiring the disclosure of information or
permitting disclosure as a matter of discretion.
In short, CUI markings and status should not serve as a
basis to improperly withhold information from the public,
including under the FOIA. This point has been clarified in
guidance we have issued in tandem with the Department of
Justice's Office of Information Policy, and we have educated
agencies on this subject. To further minimize unnecessary
control, the Executive Order requires that if there is
significant doubt about whether information meets the standard
for CUI, it shall not be designated as such.
The CUI program also seeks strong accountability and
oversight. Executive departments and agencies have appointed
senior agency officials and program managers responsible for
program implementation within each agency. These officials are
responsible for drafting agency implementing policies, training
their employees on program requirements, and establishing a
robust self-inspection program to ensure ongoing compliance.
Our office will oversee these agency actions by reviewing
agency policies, conducting onsite inspections, and requiring
agencies to periodically report on the program status.
We have begun, and will continue, to incorporate CUI
program progress with ISOO's other reports, which are made
public. Taken together, these requirements will help ensure the
program is properly and successfully implemented.
In conclusion, ISOO has established a reputation in
government for effective oversight and sustainment of
constructive relationships with our agency partners. We are
well on our way to establishing a stable and robust CUI program
for government.
Thank you very much for your time and attention, and I will
be happy to answer your questions.
[Prepared statement of Mr. Fitzpatrick follows:]
[GRAPHIC] [TIFF OMITTED]
Mr. Mica. Thank you for your testimony, Mr. Fitzpatrick.
We will now turn to Ms. McDermott. She is the Director of
Openthegovernment.org Coalition. Welcome, and you are
recognized.
STATEMENT OF PATRICE MCDERMOTT
Ms. McDermott. Thank you very much and thank you, Chairman
Mica and Vice Chair Meadows, for the opportunity to speak today
on the continued use of sensitive but unclassified markings in
the Executive Branch, three and one-half years after the
issuance of President Obama's Executive Order.
My name, as you said, is Patrice McDermott, and I am the
Executive Director of Openthegovernment.org, a coalition of
nearly 90 organizations dedicated to openness and
accountability. My remarks here today do not necessarily
represent the positions of all of our partner organizations.
Let me start with a little history on the issue of the use
of sensitive but unclassified markings in the Executive Branch.
In May 2008, President Bush issued a presidential
memorandum with a stated intent to standardize control markings
and handling procedures across the information sharing
environment, a term codified in the Intelligence Reform and
Terrorism Prevention Act of 2004, to indicate the intelligence,
law enforcement, defense, homeland security, and foreign
affairs communities. The CUI Council called for in the
memorandum was a subcommittee of the Information Sharing
Council within the Office of the Director of National
Intelligence and, therefore, entirely outside any public access
or accountability.
That memorandum did nothing to rein in the use of what were
called sensitive but unclassified markings. In fact, the memo
allowed agencies to continue to make control determinations as
a matter of department policy, meaning that the public was
given no notice or chance to comment on the proposal.
Under President Bush's proposed framework, control
designations could easily have been treated as simply another
level of classification, reducing the public's access to
critical information.
On November 3rd, 2010, President Obama issued the Executive
Order on controlled unclassified information, 13556. The order
limits control markings to those, as Mr. Fitzpatrick noted,
based on government-wide policy, as well as statute or
regulation. This is an enormous victory for openness. This
limitation will, when fully enacted, both significantly limit
the number and end the spiraling proliferation of agency policy
markings, most particularly for official use only.
Organizations working on government openness and
accountability and on whistleblower protections welcome the
release of the Executive Order, which rescinded the Bush
Administration memorandum and which requires standardizing and
limiting the use of control markings on unclassified
information. The openness community applauded the Obama
Administration for making this an open government document,
when it could easily have become quite the opposite.
Earlier drafts of the Obama order would have allowed
agencies to continue using the designations that were not based
in either statute or regulation. Previous drafts would have
created a system of sanctions which the openness community was
concerned would impede needed sharing and could lead to
repercussions outside current law for whistleblowers. The new
order has none of this language, reflecting its role as a
government-wide information policy.
A key aspect of the order is that it makes clear, as Mr.
Fitzpatrick noted, that a CUI marking has no bearing on the
decision to disclose information under the Freedom of
Information Act or on the disclosure to the legislative or
judicial branches of the U.S. Government. Finally, the order
involved the public in consultation on the implementation of
the new framework.
It was significant that the process in the Obama
Administration began in a manner not dissimilar to that under
the Bush Administration. While we did have opportunities to
meet with government officials involved in the work on CUI and
there were officials involved who were deeply committed to
government transparency, the early discussions and drafts were
led by the National Security staff and based on a report from a
task force led by the attorney general and the secretary of
Homeland Security. They came to this with an approach quite
similar to that of the Bush Administration, that this was about
controlling dissemination of and access to sensitive but
unclassified information to those with a recognized need to
know.
We had numerous meetings and were able to review drafts in
the meetings, and we provided extensive comments. Finally, we
were presented with what government officials considered the
final draft and we were asked for our headline. We responded
that the headline of the openness and whistleblower communities
would be Obama Creates Fourth Level of Classification.
Apparently, this derailed the train that had been moving down
the track. At some point in this time frame, OMB also became
involved in the process. The draft that came out next took what
essentially had been a National Security-driven effort and
turned it into what it properly was, a government-wide
information management policy.
So the agency policy markings are to be ended. The question
for us is when. Regrettably, here is where the rub comes in.
The CUI staff worked extraordinarily hard, with very limited
resources, to create the registry of approved CUI categories
and subcategories that was released in November 2011. It is
accompanied, however, with a ``reminder from the executive
agent'' which says existing practices for sensitive
unclassified information remain in effect until the CUI marking
implementation deadline TBD, to be determined.
Again I want to stipulate that the CUI staff housed that
ISOO have been very open. They have initiated meetings with our
communities and have been willing to meet with us at our
request. They have taken our concerns and our comments on
various implementation drafts very seriously and have made
changes along the way.
Our concern is that the process is, from our perspective,
at least, a long way behind schedule. We suspect this is due to
the intransigence and resistance from some agencies, and the
adjudication the CUI staff had to do with them. The executive
agent expect the CFR, which is now at OIRA and about to go out
for agency comment, to become effective in April 2015. That
begins an extended progress, in six month segments, of agencies
only then beginning to develop the budget, IT, and training
toward a requirement of which they will have been aware for
almost five years.
Agencies will not begin to implement CUI practices or to
phase out obsolete practices until April 2016, and not until
2017 and beyond, into the next decade, will agencies finally
begin to eliminate old markings and assure use of only new
markings that are on the registry. The executive agency
indicates an expectation that this process will extend into
2018, 2019, and beyond, well beyond the end of the current
Administration.
What does this mean in practice? The President was clear
that the mere fact that information is designated as CUI shall
have no bearing on determinations pursuant to any law requiring
disclosure of information or permitting disclosure as a matter
of discretion. Agencies, however, continue to use not CUI
registry markings, but the existing practices, especially FOUO.
I will stop here, as I am well over time, but I do have
some examples, if I have time in the questioning.
Mr. Mica. If you would like, we will grant you an
additional minute or two.
Ms. McDermott. Okay, good. Thank you.
So, as an example, the Project on Government Oversight
recently reported on a DOD IG report that the Pentagon labeled
FOUO. It says in such cases, the DOD IG will only post the
report's title or summary on its website. The complete report
must be requested through FOIA. POGO was fortunate enough to
have obtained the contract overbilling report through non-FOIA
means, but they are still waiting on requests for two other DOD
IG reports. Both of these reports are unfavorable assessments
of other Defense contracting programs.
And just this morning there is a story in The Guardian by
Jason Leopold that quotes from internal NSA emails about both
journalist and citizen requests under FOIA. They dismiss the
citizen requests pretty summarily and note that journalists are
a little harder to get rid of. And one of the officials is
quoted as saying the classified and FOUO we can deny; the rest
we may have to process.
Well, according to the Executive Order, they are not
allowed to deny, to withhold stuff just because it is marked
FOUO. But it is apparently a continuing attitude throughout the
Government, and we are as frustrated as you are and very
concerned that this attitude will continue for many years to
come.
Thank you for the opportunity to speak to you on this
important issue. I am happy to answer any questions you might
have.
[Prepared statement of Ms. McDermott follows:]
[GRAPHIC] [TIFF OMITTED] T8973.008
[GRAPHIC] [TIFF OMITTED] T8973.009
[GRAPHIC] [TIFF OMITTED] T8973.010
[GRAPHIC] [TIFF OMITTED] T8973.011
Mr. Mica. Well, thank you.
We will withhold questions for a minute. We have been
joined by our ranking member, Mr. Connolly, and I would like to
recognize him at this time.
Mr. Connolly. Thank you, Mr. Chairman. Again, my regrets
for being late. I had a markup at the House Foreign Affairs
Committee on a North Korea sanctions bill I am coauthor of, and
I had to be there for my own bill. So forgive me for being
tardy in coming to this hearing.
Thank you all for participating and thanks, Mr. Chairman,
for holding this hearing examining the categories of controlled
unclassified information, CUI, particularly the Transportation
Security Administration's designation of sensitive security
information, SSI.
Pseudo-classification designations are often vague and
involve undefined markings that prevent interagency sharing or
delay public access to information, as Ms. McDermott was just
telling us. The Executive Branch's use of pseudo-classification
designations is a longstanding national security challenge, and
it certainly encompasses many administrations of both parties
and transcends partisan division.
The 9/11 Commission observed, in its final report
officially on the September 11, 2001 terrorist attacks, that
excessive barriers to information sharing among Federal
agencies and between Federal agencies and local law authority
agencies actually contributed to the confusion, if not to the
actual successful prevention of the tragedy. That is pretty
strong stuff. Simply put, the Government agencies keep too many
secrets from other Government agencies and the public, and that
is both bad for public safety and, in my view, can compromise
national security unintentionally.
Our committee has been concerned with the effects of
pseudo-classification for many years. This committee requested
that the GAO study the matter and, in 2006, during the Bush
Administration, GAO reported that the problems posed by
excessive and inappropriate use of CUI remain pervasive,
pervasive, across the Federal Government.
Our committee's concern, Mr. Chairman, about the TSA's
utilization of SSI designations dates back to 2008, six years
ago, when former Chairman Waxman and Ranking Member Tom Davis,
my predecessor, initiated a bipartisan inquiry questioning
TSA's release of SSI to CNN for use in a news story, when the
agency had asked GAO not to publicly disclose the same type of
information, seemingly a contradiction in policy.
Further, conflict over the proper handling of SSI continued
in 2011, when the U.S. Department of Homeland Security
expressed serious concern over the disclosure of SSI by a
member of this committee, the Oversight Committee, at a public
hearing.
As recently as 2012, the Controlled Unclassified
Information Office within the National Archives and Records
Administration found: ``Historically, executive departments and
agencies have employed ad hoc agency-specific policies,
procedures and markings to safeguard and control the
dissemination of sensitive but unclassified information.'' ``As
a result,'' it found, ``more than 100 different policies and
markings have evolved for handling such information across the
Executive Branch.'' It goes on: ``This inefficient confusing
patchwork system has resulted in inconsistent markings and
safeguarding of documents, led to unclear or unnecessarily
restrictive dissemination policies, and created impediments to
authorized information sharing.''
Fortunately, the Obama Administration has taken steps to
try to get CUI policies under control. I was pleased that
President Obama issued the November 4th, 2010 Executive Order
13556 on CUI that mandated that NARA establish categories and
subcategories to serve as the exclusive designations for
identifying unclassified information that requires safeguarding
or dissemination controls pursuant to statute, regulations, or
government-wide policy.
In April 2012, TSA Administrator John Pistole issued a new
SSI handbook applicable to all TSA personnel that established
standard operating procedures for handling SSI and consolidated
and clarified SSI policy guidance. These new policies include
standardizing policies for the revocation of SSI, creating a
system for reporting breaches, and improving employee training
on how to handle SSI.
In closing, Mr. Chairman, it is my hope that the
stakeholders gathered here today will recognize we all have a
shared goal with respect to increasing transparency and
strengthening aviation security, and that balancing these
interests need not be a zero sum proposition, it is either
transparency or it is keep it close to the vest and nobody
knows what anyone else is doing.
I want to thank our witnesses for participating in this
morning's hearing and, Mr. Chairman, I look forward to
examining, together with you, how we can better ensure CUI is
effectively, consistently, and appropriately managed across the
entire Federal Government.
Thank you. I yield back.
Mr. Mica. Thank you, Mr. Connolly.
We will go right to questions. I want to lead off on some
of the points that the ranking member articulated. First of
all, he cited the Executive Order 13556 which President Obama
issued, and I think you spoke about it too, Ms. McDermott, and
had some good intent, but it has had no bearing on decisions to
disclose information pursuant to FOIA or disclosures to
judicial or legislative bodies such as this committee. Despite
this, Ms. McDermott, are you currently observing Federal
agencies that use existing practices to thwart release of
unclassified information?
Ms. McDermott. As I mentioned--yes?
Mr. Mica. I am just asking you to confirm again what you
said.
Ms. McDermott. Oh. Yes.
Mr. Mica. Mr. Connolly brought this up, but you are seeing
that.
Ms. McDermott. But I would also note that----
Mr. Mica. And how prevalent is the practice today?
Ms. McDermott. Okay. I don't know that it is all that
prevalent. We do know examples, but you usually only hear when
there is a problem. I mean, you can't disprove a negative, but
if agencies aren't doing it, there is no way to know.
Mr. Mica. And you cited some problems. What agencies is
this prevalent or have you seen?
Ms. McDermott. The Department of Defense Inspector
General's Office and the FOIA folks at NSA.
Mr. Mica. Okay. Is there anything more that can be done? We
have an Executive Order. What do you think? Now, TSA, we will
get to them in a minute; they have issued a handbook. But what
do you see government-wide?
Ms. McDermott. Well, I think government-wide the process
has been moving forward in terms of the work that the executive
agent, the CUI Office, has been doing. I think, from our
perspective, the problem is that somewhere along the line time
has been lost and we feel that the process is taking longer
than we anticipated and that I think probably the President
anticipated.
Since the issuance of the Executive Order, we are already
now four years out, and the rule is just going out for comment.
We had seen earlier versions in 2011 and then not again until
2013, and then again this year. So the process, our sense is
that it is being slowed by at least some agencies who--again,
this is my perspective and my community's--who don't want to
see this because it will control their ability to use these
markings as they see fit. But I think it is our sense from
talking to CUI staff that there are a lot of agencies also that
are fully onboard, ready to go, and who will move forward
quickly.
Mr. Mica. Well, that is a perfect sequence to ask Ms. Lontz
why did it take four years for TSA, after the management
directive, to roll out the handbook? Now, Mr. Connolly also
spoke of successive TSA and finally getting a handbook, but it
took four years and you just testified that they have been
slow-rolling this, Ms. McDermott. So what is happening that
took four years to do this in TSA?
Ms. Lontz. Mr. Chairman, so the joint decision to move the
SSI program into the Office of Law Enforcement and Federal Air
Marshal Service from the Office of Intelligence, that occurred
in December of 2010, and Mr. Pistole did sign our TSA
management directive in April of 2012.
Mr. Mica. The structural placement was also almost four
years ago, but it has still taken almost four years to get,
again, the handbook on SSI.
Ms. Lontz. So the handbook is a comprehensive resource of
74 pages, and it is a guide to all employees.
Mr. Mica. So they did about 20 pages a year.
Ms. Lontz. We do annual training on SSI to all employees at
TSA.
Mr. Mica. The handbook was just issued, so has that just
begun?
Ms. Lontz. So the annual training occurs and also began in
2012, so each employee at TSA has received it now at least
twice. So the program office itself has a standard operating
procedure that is a 40-page document that they use daily in the
practice of reviewing documents, and we also have standardized
the way that requests are made so that it is documented
appropriately, and we also have incident reporting tools for
the agency to utilize.
Mr. Mica. Now, tell me again where the SSI office falls,
under what jurisdiction was it set?
Ms. Lontz. So it originally was with the Office of
Intelligence. It is now under the Office of Law Enforcement
Federal Air Marshal Service.
Mr. Mica. And why does it fall under that particular one?
It seems like Intelligence would be the logical one. Why was it
removed and what is the advantage to have it under law
Enforcement?
Ms. Lontz. So we felt that it more closely aligned to the
duties and responsibilities of the chief security officer, and
the chief security officer is part of the Office of Law
Enforcement.
Mr. Mica. And how many FOIA requests does TSA receive in a
year, do you have any idea, for instance, 2013 FOIA requests?
Ms. Lontz. I can tell you to date we have received 72
requests, just under about 10,000 pages to review this year.
Mr. Mica. Just this year.
Ms. Lontz. Correct.
Mr. Mica. But you don't have a figure for a number received
in 2013?
Ms. Lontz. I don't.
Mr. Mica. Maybe you could provide that to the committee.
Ms. Lontz. Certainly.
Mr. Mica. What percentage of FOIA requests to TSA are
denied or redacted due to the targeted information carrying the
SSI designation, do you have any idea?
Ms. Lontz. I don't have an idea on that. We review all FOIA
request material that is sent to our office. Each review is
done the same as it would be for any other request that would
come through SSI, and it is all memorialized in a memorandum of
what was reviewed and what the findings were, and then it is
returned back to the FOIA office.
Mr. Mica. Has the TSA implemented proper protocols to
ensure that the TSA administrator is documenting support for
releasing SSI prior to releasing the information?
Ms. Lontz. So there is a process for revocation as well,
and it must be in writing, and it should be in the interest of
security, of course.
Mr. Mica. Do you know if there is compliance now? I mean,
it was pretty spotty. The reports were spotty as to compliance
with that requirement, again, prior to releasing the
information. Do you know where we are on that now? In almost
every instance is that complied with?
Ms. Lontz. Yes, sir. So Mr. Pistole is our administrator
and he is the designated authority on the release, so anything
that would be released would go through his office.
Mr. Mica. Well, it sounds like TSA has cleaned up some of
the problems.
Ms. McDermott, you have been observing this. Is that your
observation or assessment?
Ms. McDermott. We have been really looking more at the CUI
process and the rollout of the rule relating to the Executive
Order, how it is being implemented. I have colleagues who work
more at agency level, so I really can't speak to that.
Mr. Mica. Okay. You have not had any specific observation
or have you found improvement in that regard, Mr. Fitzpatrick,
from TSA?
Mr. Fitzpatrick. So our office does not look at or have
authority to look at the specific transactional actions of
release or withholding under the FOIA or any other statute.
What we look at is management approach to an authorized
category, which SSI is, and how is it managed within the
organization and are its procedures for safeguarding
dissemination, control, and marking, how are they promulgated
and will they be consistent with the forthcoming rule. So the
retention of information under a separate authorization is not
within our oversight purview but, rather, the administration of
the security program.
Mr. Mica. Well, I asked Ms. McDermott before about the
prevalence of the pseudo-classifications in other agencies.
Would you like to comment on that?
Mr. Fitzpatrick. Yes, I would, because I think we have both
described the scope of the Executive Order. When it shifted
from the Bush Administration's focus on homeland security and
counterterrorism information to any type of information for
which control is authorized under law government-wide policy or
government-wide regulation. That is a vast amount of
information, and while it does provide the opportunity to
define the universe of CUI and to identify that which is not
authorized for withholding or retention, so that is a primary
division of the universe of unclassified information into two
halves.
The half that is authorized is substantial. As I mentioned
in my testimony, there are 22 categories, 85 subcategories, so
we have organized information in a plain English sort of way to
describe categories and subcategories, but there are 314 unique
citations in law, government-wide policy, or Federal regulation
that authorize control of unclassified information. Four of
those apply to the SSI category; many of those categories and
subcategories have multiple citations in law and regulation.
So what we have discovered in the time that it takes to
sort of understand the scope of the Executive Order and to
build this registry is that the Legislative and Executive
Branch, in almost equal measure, have authorized agencies to
assert control over information types of a very broad range.
One hundred fifty-seven of those controls are in statute, 129
in Federal regulation, and 28 in government-wide policy of the
type of an OMB circular, something that would have come out of
the Executive Office of the President.
So that is a lot of information, a lot of agencies that are
authorized to withhold this information. So our program is
created to identify which those are so that you can know which
information types aren't, and then to establish handling and
marking procedures of a uniform nature rather than I think the
ranking member indicated the 100-plus marking types and bins
that information had been put on and labeled, to have a uniform
control marking.
I am sympathetic to the amount of time that this is taking.
When you understand the scope of this and how many agencies
have this type of information, to try to understand all of
their practices today in order to create a uniform baseline
that all will observe, it is a very time-consuming effort.
Mr. Mica. Well, unfortunately, today we are just talking
about unclassified information, and, you know, this is an
important issue because Government information and the
management of it can be manipulated and agencies use it to
cover their own tracks, to keep information from Congress and
from the American people, and that is just in an unclassified
category, and then trying to set the parameters for that. Then
you have so many agencies that have participated and then
trying to make certain there is some objective evaluation of
what they are using these classifications for and denying
Congress or the public or information getting out.
The classified is a whole different one with TSA. I would
like to see, at some time, information on the failure of
performance of TSA. Most of that has been kept in a classified
realm, declassified on a periodic basis, so I think the public
deserves to know the performance of some of the people who are
supposed to provide important transportation security. That has
been kept under wraps or some things have been put under
classified wraps to keep their performance secret, and there
are definite reasons to do that.
I know in the past some classified information has been
released and I have flipped out a couple of times when I saw it
in the paper and actually asked agencies to go after folks who
had released the information, because it can be very harmful.
But, by the same token, there is some other information, I
think, that the public should know that deals with the
performance of agencies.
Now we have, it is not classified, but we are seeing the
secret lists of the VA and people trying to cover up again
their poor performance, and that was outrageous by any
standard.
Well, it is an interesting subject. Difficult to get a
total handle on, but we are trying to make some sense out of it
in a bipartisan fashion. Part of the report goes back, I
noticed, some time and predates current practices, but this is
a meat and potatoes hearing where we have been, where we are,
and where we are going. So I thank you all.
Let me yield to Mr. Connolly for questions.
Mr. Connolly. Thank you, Mr. Chairman. Actually, to me, it
is kind of a thought-provoking panel and discussion, but to
your very last point, so here we are looking at the operations
of government, can we improve them and make them better and
more efficient, better serve our public. There is not a single
member of the press at the press table, not one.
Mr. Mica. Nobody is interested.
Mr. Connolly. And in the system of reward and punishment,
there is not a lot of reward for what we are doing today, Mr.
Chairman, but virtue is its own reward, I guess, right?
But thank you for being here, because it is actually kind
of an important topic.
The chairman talked a little bit about the misuse of types
of information for various and sundry purposes, either hiding
it from the public and/or Congress or deliberately getting it
out there when you shouldn't.
Ms. Lontz, we issued a committee staff report today that
found TSA for years had issues with consistently implementing
its policies for designating and undesignating information as
sensitive security information. The committee heard from a
former director of TSA's SSI Office, Andrew Colsky, that TSA's
Office of Public Affairs released information strategically in
what he described as security theater. He said, ``If they felt
they needed to do something to get it in the press to change
the public perception, that was more important than the
security concerns involved.''
That same director said that the release of SSI by the
Office of Public Affairs decreased when the personnel changed
in 2009 with the new administration.
What is the current relationship between the SSI Office and
the Office of Public Affairs, and how disputes regarding SSI,
how are they resolved?
Ms. Lontz. Certainly. So the relationship really of the SSI
Office to really any of the other directorates, we operate
autonomously. We receive in information that needs review and
we do that and review in accordance with all of the
requirements and then return it. We do not engage regularly
with any of those offices other than to be the recipient and
provide our service and provide it back. So there isn't any
direct back and forth between the Office of Public Affairs and
our SSI Office other than the service that we provide.
Mr. Connolly. Well, but what are the systems in place for
ensuring, the chairman cited it, that someone misuses
information for entirely a PR purpose? It did happen at your
agency before your time. What are the mechanisms in place to
ensure that there is an understanding, to pick an office,
between the Public Affairs Office and the SSI Office that the
misuse of such information for perhaps a noble reason, but
nonetheless the misuse of information is protected, that that
practice is controlled?
Ms. Lontz. So we did some significant training with the
various offices after 2010, or actually after 2012. We did
specific training in offices like the Office of Chief Counsel,
Office of Public Affairs to provide them with in-depth
understanding of what SSI is and is not. So they have received
more than just the annual training that all TSA employees
receive so that they have a greater knowledge of what we would
consider SSI and how to handle it properly.
Mr. Connolly. Mr. Fitzpatrick, you honed in on my reference
to the fact that we have 100 different standards, apparently,
maybe more. Ms. McDermott, I welcome your comment as well. When
one looks at a statistic like that, I often ask the question,
rhetorically, What could go wrong with that? If the public were
watching this hearing, I think they would get a headache from
all the acronyms and maybe lose sight, easy to lose sight of,
well, what is the context here? What is it we really are
concerned about?
We are not just concerned about juridical processes. We are
concerned about preserving that which must be preserved,
concerned about proper information sharing and encouraging
that, instead of people hoarding information that should be
shared, and trying to have a streamlined system so that rules
of engagement are clear-cut and everybody adheres to them. How
are we doing on that? I mean, how much progress since the
Executive Order, and to what extent has the Executive Order
encouraged such progress, are we getting to have a more uniform
standard across the Federal family?
Mr. Fitzpatrick. So thank you, because that is the
wheelhouse of building a CUI program, is to address those very
things. Let me put some of these numbers into context.
That number, 117 different markings, actually comes from an
appendix of the report that Patrice mentioned that the attorney
general and the secretary of Homeland Security provided
President Obama in the year before the Executive Order was
issued, and they took an inventory. How many different ways are
we marking things? How confused is this? You quoted one of my
office's reports, a Confused Inefficient Patchwork.
So what is in play or what the practices were allowing
1,000 flowers to bloom? An agency could and did make up its own
rules and there was no canopy type of guidance that said it had
to follow some stricture or some consistency across government.
So you had people marking any kind of information with a
special marking. Maybe it was just sensitive, do not
disseminate; limited distribution; source selection
information; help related information. Some of these are
instructions and some of these are categories of information.
So what the Obama Order does is it says, okay, the only
ones that are authorized for some type of control are the ones
where a deliberative process, a statute, regulation, or
government-wide policy, has already provided that authority;
everything else is not permitted to have some control. So it
said, executive agent, find out what that universe of
information is, put a registry together and put it out on the
internet so everybody can understand what have we done through
statute and regulation to provide these authorities, and then
work with agencies to come up with practices that will be
uniform, one set of markings, one set of handling requirements.
We are in touch with 150-plus government entities to try to
find out what kind of information do they have, what kind of
resources do they have, what kind of practices do they have.
There is a lot in common; put it in a locked drawer. Some of
this guidance the lock has to be this kind of lock, the drawer
has to be this kind of drawer; wrap it in one envelope, two
envelopes, three envelopes. Again, 1,000 flowers blooming. So
we are creating a single baseline and these are represented in
the draft rule that we have mentioned, finally getting enough
interagency agreement to say that would work for us to put it
into practice and for agencies to implement.
The category types that remain are information types that
you would expect every agency to handle: privacy, financial.
Agencies that handle taxpayer information, there is a specific
regime for protecting taxpayer information. SSI is an example.
Another good example that exists only in a particular space in
government activity is unclassified controlled nuclear
information. So Energy, Defense, Transportation, they handle
nuclear materials; that is special stuff. So we have catalogued
across the whole of Government agency practice and our attorney
and other resources have put that together in this registry
that says 314 unique citations, 157 laws that say the secretary
may withhold or must control or may disseminate.
Mr. Connolly. That you have to take into account.
Mr. Fitzpatrick. Right. So we are trying to wrap an
umbrella over this vast authorized practice.
Now, identifying the authorized practice allows you to
identify the unauthorized and discontinue the unauthorized, and
that is naturally where Patrice and her Coalition's interest
lies, with the ability to regulate the authorized practice
across global organizations with however many Federal employees
have to be trained. It is a daunting effort, and it can't start
until the flag is waived. The flag gets waived when the rule is
final. So we are in the process right now with the rule out for
agency comment; it will then go out through public review and
comment and keep going.
Mr. Connolly. But let me follow up on something the
chairman--and I am going to call on you, Ms. McDermott. I just
want to stay with this, but I will ask you to comment as well,
if the chairman will allow.
Mr. Mica. Go right ahead.
Mr. Connolly. Thank you, Mr. Chairman.
I want to follow up on something the chairman made a point
of, though; and he and I share this characteristic. In politics
and public policy, sometimes patience is a real virtue.
Sometimes it is not; sometimes impatience is a virtue because
it gets things done and moving. And sometime it strikes the
chairman, and me as well, that we move at a glacial pace in the
Federal Government, when we need to be moving with more
alacrity.
You make a very good point; this is a daunting, big
challenge. It may not seem it. It sounds simple. Let's have
some simple rules of engagement we all adhere to and move on so
that Ms. McDermott can get the information she needs. Well, not
so fast; not so simple; there are all kinds of intruding laws
and regulations; there are 100-plus different practices we have
to kind of rein in and look at. But the chairman pointed out
the Executive Order, however well intentioned, was four years
ago. Here we are four years later and we are at the draft rule
stage.
So what was the time line for implementing this and how are
we doing in trying to meet those metrics?
Mr. Fitzpatrick. Certainly. The Executive Order laid out a
few deadlines for agency consideration and then the deadlines,
I will say, stopped. The first year essentially was to define
the universe of information that is CUI. So agencies were given
six months to make submissions. What are the categories that
you feel meet this threshold of having a basis in law,
government-wide policy, or regulation, and how would you
describe them and how can we put them together in a registry?
Agencies produced 2,200 submissions. So if you get an idea of
what agencies feel their authority ought to be, and that came
from, I will say, not the 150 agencies we deal with now, but
some dozens of them submitted 2,200 individual 3x5 cards saying
I can control this, I can control this, I can control this.
Mr. Connolly. Can I interject, if I may?
Mr. Fitzpatrick. Yes.
Mr. Connolly. Just an ironic observation, Mr. Chairman. The
press may not think this is all that interesting, but clearly
Federal officials did, because it affects how they operate.
Mr. Fitzpatrick. Absolutely. And it affects a level of
latitude they felt they had to do as they pleased, or wished,
or felt was most effective for them.
Mr. Connolly. Right.
Mr. Fitzpatrick. And, instead, this umbrella of constraint
was, I will say, beginning to be spread.
So 2,200 submissions, many of them the same types;
personnel information, privacy information, budget information.
But many of them simply my agency directive says I can do this,
so they submitted it. Well, that is below the threshold. That
did not make it into the registry. So the production of the
registry, putting the registry out on the rolls.
We then began an inventory of practices to say what do you
do with this information today and how do you safeguard it? How
do you provide information systems security for it? How does
dissemination control work? How far and wide are complex are
your agency directives and instructions so we know how much is
going to have to be torn down and rebuilt?
We took a shot at, as Patrice mentioned, a draft rule
through our interagency council that basically the interagency
choked on. We put all of the principles of CUI and sort of in
the nature that we have been discussing them today and all of
the how-to's of the CUI in the same document. That was, I will
just say, ineffective and did not succeed the interagency
coordination process. We had to rewrite it so that we could
separate the two.
And what is going around the agencies now is this set of
principles in the rule which point to practices and authorities
that the CUI Council, under the executive agent's coordination,
will issue. So you have a draft rule, and the draft
supplemental guidance says here is what marking and
dissemination mean; here is what the constraints are on
agencies; and then over in a separate document here is how to
do it.
Mr. Connolly. Thank you.
Mr. Fitzpatrick, my time is up. The chairman has graciously
agreed to allow Ms. McDermott to also comment because I don't
want to impose on my colleagues, and I see the distinguished
chairman is here as well.
Thank you, Mr. Chairman.
Ms. McDermott. So, yes, we are aware of and support all of
the work that they have been doing. We do feel, though, that
there has been some, the chairman called it slow-rolling. I
might call it, because of its loss of control by the agencies,
it is foot dragging, it is throwing some sand. But, again, that
is from an entirely outside perspective.
I do want to go back to two points that you made, though.
This was about the need to protect information and also to
share it. And one of the things that we have been very
concerned about all along is that where it is appropriate and
where the statute or the regulation allows it, that there be
put time limits on these markings so that they don't continue
to be used passed when they are authorized to be used. And that
is a whole big issue of how you unmark something that has been
marked.
The other thing that we are very, very concerned about is
that, in terms of the sharing, both sharing and protecting,
that these markings, it needs to be clear, they need to be
clearly marked, any documents, so that somebody who shares a
document with the public, certainly shares it with Congress,
shares it with the Judicial Branch, although those are already
covered under the Executive Order.
If it is not marked, they cannot be held accountable for
inappropriately sharing information. This is like, you know,
something that was part of the Intelligence Authorization Act
that President Clinton vetoed back toward the end of his thing
that said any document that is classifiable, you can be held
criminally liable for releasing. Well, no, you can't, because
that could be anything. So that is a very big concern of ours,
to protect whistleblowers, but also to allow useful sharing
throughout the Government of information as it needs to be
protected and of information that doesn't need this kind of
protection.
Mr. Mica. Thank you.
Let me yield now to the chair of the full committee, Mr.
Issa, who has joined us. Mr. Issa.
Mr. Issa. Thank you, and thank you for being here.
The fact is this is probably the one nearest and dearest to
my heart of all the hearings. You might wonder why. Well, the
CUI Council, how do I know it is not a CYA council? I am
serious, Mr. Fitzpatrick. I am the beneficiary of 20 months of
having subpoenaed documents that are unclassified held and not
delivered to this committee, even though they were subject to
subpoena, because they were unclassified but embarrassing. In
those 2,200 different classifications, did you see that
classification, unclassified but embarrassing?
Ms. Lontz, is that one that you plan on using?
Ms. Lontz. No, sir.
Mr. Issa. You use it every day. Transportation Safety uses
it all the time. We subpoena documents and, Ms. McDermott, I
know you are on our side, but, quite frankly, when you say it
is already covered, no, it isn't. This Administration
systematically does not reply honestly and fully with even
subpoenas of the various committees. That is just a fact. It is
a reality. One of the things that we have seen is that the best
way to get evidence, unclassified evidence is we depose
somebody, and on the evening before we are going to depose
them, we get a ration of documents that are somehow responsive
to it.
The fact is this is near and dear to my heart because I
don't think you should have a right to any of them. I think the
whole idea that there is anything below secret is hogwash. I
think the idea that other than personally identifiable
information, meaning information is sensitive because it
doesn't truly belong to the Government to release, such as your
email address, even if it is a Government one, being released
to the entire public; your birthday; personal information about
your home. We can all agree that that information is not
secret, but, by definition, shouldn't be released. Do we agree
with that?
Is there really any other area that people get to see
without a background check, people get to handle without
knowing whether they are pedophiles, whether they are drunks,
whether they are going through personal traumas in their lives,
etcetera, etcetera? In other words, we have no security on them
other than they are a Federal employee or a Federal contractor.
They get to see all this information and then, when Congress
subpoenas it, we don't even get it. Is there anyone that is
going to justify those 2,200 categories here today? I would
love to hear it. Ms. Lontz?
I mean, I am thrilled to hear that there are 2,200 requests
for unclassified information to be withheld. Of that 2,200, I
will take out of it as many as you say include personal
identifiable information. Give me another one.
Mr. Fitzpatrick. If I may clarify that number.
Mr. Issa. Please.
Mr. Fitzpatrick. And understand that you entered midstream.
Twenty-two hundred was the number of individual submissions
that came in from agencies where they thought they had some
authority.
Mr. Issa. A lot of redundancy.
Mr. Fitzpatrick. There is a lot of redundancy and a lot of
it did not meet the threshold established in the Executive
Order that authority can only be established if it has been
granted by law through the Federal regulations or through
government-wide policy. Those numbers, there are 2,200 high
level categories, 85 subcategories based on 314 individual
citations of either law, regulation, or policy.
So while I do not dispute the characterization of agencies'
desire to withhold information to their advantage, what is
authorized under the CUI program is only information in these
categories, these narrow 2,200 and 85 subcategories, can be
safeguarded or dissemination control. Their disclosure through
other processes, or the eventual decontrol, are matters of
discretion.
Mr. Issa. We fully understand that, but understand that the
President signed the Data Act just a few days ago. That Act
intends on making across Government the vast majority of
information that exists in our databases searchable,
addressable, downloadable, which would include a system in
which, because of the strength of the metadata, you would be
able to exclude personally identifiable information.
But essentially, and we are not talking about emails for a
moment; we will leave those aside, the intent of it would be to
open up all of Government, to make you able to say that a
particular data point is not to be released, such as personally
identifiable information, locations or times, certain things
like that, predictive information about events that have not
yet occurred.
If we are going to open that up, we can't have these levels
of classification because it will essentially close
systematically all these databases, won't it?
Ms. McDermott, you really don't care about hunks of paper
being delivered anymore; you really care about the data wealth
being mined in order to get real information, don't you? Isn't
that really the modern America?
Ms. McDermott. That is part of modern America. But we
actually are still very concerned about the paper getting
delivered to nonprofit organizations that make it available to
journalists, to that sort of thing.
Mr. Issa. Let me explain one thing to you that I have
learned the hard way in five years in the, if you will,
leadership of this committee. Until today, if I subpoena the
EPA for emails, they send out to the people they think may have
responsive information asking them to voluntarily look through
and see if they have something that we would be interested in,
and then they get to submit it.
That is a systematic system of exclusion of at least
unclassified but embarrassing information. Only through direct
access are you ever going to get what you want versus getting
the paper they want to give you and then searching through it
saying, if this exists, where is this other piece, and then
having to--how many times do you reapply again and again
because a tranche of information tells you that they are not
giving you it all?
Ms. McDermott. I would love, if I may, respond just on the
email part of it.
Mr. Issa. Please.
Ms. McDermott. Regrettably, that experience about asking
people to search their hard drives is because until very
recently, because of regulations that were promulgated by NARA
back in the 1990s, agencies were not required to organize their
email. They were not required to treat it as records of
offices; they could treat it all the same. And what has
happened over time is that it is on people's hard drives; it
has not been centrally collected.
It is unfortunately true that that agencies don't know how
much email they have that is responsive. And it is not just
Congress that gets this response; it is our colleagues in the
nonprofit world who ask agencies for responsive email and they
say we will look, but it is going to take a long time.
Mr. Issa. Yes, we were told by the IRS commissioner just
the other day that it could take two years to respond to our
questions, far longer than the IRS gives you in an audit to
respond to theirs.
Let me just close quickly with a question. If we are going
to have classifications below secret, and this committee, among
its jurisdictions, controls basically the question of people
holding clearances, how many categories of cleared people are
we going to have to decide what level of background
investigation, what level of denial?
If somebody is going to look at unclassified information
that has some pseudo-classification level that keeps the public
from seeing it, do I need to know whether they are currently on
probation, whether they have DUIs, whether or not they are
convicted pedophiles? And if so, how do I come up with all
those classifications? How many will I need, Mr. Fitzpatrick?
Cleared information, cleared people, right?
Mr. Fitzpatrick. It actually requires no specific personal
security vetting for access to controlled unclassification
information.
Mr. Issa. So, in summation, what you are telling me is
below secret we can deny the public, through a maze of
different processes, access to information, while allowing
people who happen to work for the Government, either as
contractors or as Federal employees, to have unfettered access,
even if they have things which would make us question that
access, right?
Mr. Fitzpatrick. Well, no. The standard is only for that
information which requires a safeguard or dissemination control
and is accompanied by a lawful Government purpose, regardless
of your status, in Government or outside of Government.
Mr. Issa. So tax cheats at the IRS get access to my tax
information, while even if I have been persecuted directly by
the IRS, I can't get that. I understand what you are saying. I
question in this hearing whether or not you are going down a
road of any sensibility.
If you can't tell me who should be excluded within
Government from seeing information, if you can't tell me what
level we should put as a requirement for people to be cleared
for that information below secret, because we have rules for
secret and top secret, then I question whether or not you can
create any category other than personal identifiable
information is on a need to know basis, and other than personal
identifiable information I question whether or not you really
can do the process that you are asking.
And I think Mr. Connolly said it very well during his 10
minutes, which I have equaled nearly. The fact is we have
waited too long, and it has been four years since an Executive
Order, and this committee has a responsibility to ultimately
say you are not getting it done; we may need to preempt you.
And rulemaking is not lawmaking, it just looks like it.
Mr. Chairman, rulemaking is not lawmaking; it just looks
like it. I am going to close on that. Thank you.
Mr. Mica. Thank you. I liked your CYA versus CUI
description. Very appropriate sometimes.
Waiting most patiently, one of our outstanding junior
members, Mr. Meadows. You are recognized.
Mr. Meadows. The chairman here says I have a lot of gray
hair for a junior member, but thank you for your testimony.
Mr. Fitzpatrick, let me pick up, because as we start to
hear 2,200, we start to hear regulations. Everybody is going to
want to have a piece of that turf. And I guess my concern is if
we are going about this new classification, how many rules and
regulations are we going to eliminate? I mean, out of the 170,
I think your testimony, how many of those rules and
regulations? Are we going to be able to eliminate half of
those?
Mr. Fitzpatrick. So we will go to a single marking system.
So in the 117, the list of labels that were previously used,
they varied across whether it said sensitive protect, restrict;
all sorts of unauthorized types of markings. We propose a
marking system that simply says controlled.
Mr. Meadows. Based on what criteria?
Mr. Fitzpatrick. Based on its presence in the registry,
which means there is either a law that says the secretary is
authorized to protect that or there is a Federal regulation
that says this information may be controlled.
Mr. Meadows. But according to your testimony, you said it
should be based on statutory exemptions in FOIA or other
applicable laws, policies, and regulations. Now, the concern I
have with policies is any agency can make up any policy, and it
undermines the whole effort of what you are trying to do.
Mr. Fitzpatrick. So that portion of my testimony, and I
acknowledge that those words are there, applies to instruction
to agencies not to confuse, not to utilize the fact that
something is marked CUI as somehow disposing a decision to
withhold information under FOIA. The Executive Order and our
guidance say clearly FOIA and other applicable laws that govern
disclosure are what will govern your decision. Simply because
it is marked controlled SSI doesn't then predispose, okay, then
I can withhold it under FOIA. Our instructions and the
Executive Order say it might be marked CUI so that you know it
needs to be in a desk draw, it needs to have a cover sheet, it
needs to be given to someone with a lawful government purpose.
But if a FOIA request comes in on that, then the FOIA rules
apply.
Mr. Meadows. All right, so on a scale of 1 to 10, with 10
being the most confident, how confident are you that what you
are about to put in place will get rid of the politics, the
CYA, the political aspect of trying to keep documents from
Congress and from the American people? Scale of 1 to 10, how
confident?
Mr. Fitzpatrick. The CUI program, I am going to say, sits
next to, but not a part of, the disclosure regime. So however
confident, however much or little confidence you have in that
disclosure regime----
Mr. Meadows. Well, it hasn't been working too well so far,
so, going forward, how confident are you?
Mr. Fitzpatrick. So I am confident you will have the basis
to explain, and those seeking information will have the basis
to contest, the presence or absence of authorized by law or
regulation, an authorized withholding basis or not. So an
example----
Mr. Meadows. That is a great answer to a question I didn't
ask, but from politics, and getting politics and complete
transparency, on a scale of 1 to 10, how confident are you?
Mr. Fitzpatrick. I am an optimist. I will give you a 6.5.
Mr. Meadows. Okay.
Mr. Fitzpatrick. It will be better. It won't be everything.
Mr. Meadows. All right.
So, Ms. Lontz, let me go to you, because you talked about
training earlier. On the training aspect of it, you mentioned
that they have been given this handbook that talks about
seventy some odd pages that is very specific. How confident are
you that we are covering all the issues in terms of the
thoroughness of the training and that the new model is going to
be followed?
Ms. Lontz. So in TSA, I can say that I am very confident
that the new measures we have put in place have significantly
improved the way we handle SSI. It is much more consistent;
there is a memorialization of any and all SSI reviews that are
done. It is comprehensive in the training; we can customize it,
as I explained earlier, depending on various programs so they
get a more in-depth understanding of what SSI is and is not. So
I am very confident that the new measures----
Mr. Meadows. So how are you reinforcing that? I mean, going
forward, because if it is in a handbook, I don't know about
everybody here, but most of the handbooks I have gotten over my
54 years, I haven't read them, or at least I haven't read all
of them. And we may have somebody here that does that, and I
know my good friend and colleague from Virginia is astonished
at that revelation.
Mr. Connolly. I have read every handbook ever.
Mr. Meadows. No doubt. No doubt.
So how do we reinforce it? Do you make it part of their
evaluation? If they get a bonus, is it part of that in terms of
saying that you have been following this? How do we reinforce
it? I see one of your staffers shaking his head yes behind you.
Ms. Lontz. I think our senior leadership does a very good
job of ensuring that SSI, the importance of SSI, the job that
the TSA does impacts aviation and transportation security. We
do have to be very concerned with protecting SSI information.
We also ensure that it is not just a once a year, there is an
online training course you need to take. We have SSI Awareness
Week at TSA where there are a sundry activities and things that
remind our personnel of the importance of SSI. So it isn't just
a handbook that goes on the shelf and we say, hey, we have
this. We really do impress upon our personnel the importance.
Mr. Meadows. Well, I am going to close with this
encouragement in terms of any help that you might be able to
give this committee. Ultimately we have two objectives. One is
to get the politics out of it, to speed up the process and
become transparent with the American people. And if you see
areas that need to be addressed, it is incumbent upon you to
get that to this committee, because in a bipartisan way we will
work to not only put forth legislation to clear it up, but to
make sure that the American people get it, because right now
the request even from a member of Congress gets thwarted at so
many different levels based on so many different regulations,
policies, and I don't knows that it is unacceptable. So we look
forward to your recommendations.
I yield back, Mr. Chairman. Thank you.
Mr. Mica. Well, thank you, Mr. Meadows. Thank you, Ranking
Member Connolly.
And I want to thank our three witnesses, Ms. Lontz, Mr.
Fitzpatrick, and Ms. McDermott, for your testimony. We have
additional questions and we will probably be submitting some to
the witnesses today.
Mr. Connolly moves that we keep the record open for seven
additional days. Without objection, so ordered.
Again I thank you. We have raised some very interesting
points, trying to work together to improve this process and the
question of classification and various categories, making
certain that Government information is made available both to
the public and the Congress in a responsible fashion. Some
enlightening information. It looks like we still have a ways to
go and keeping this moving forward in a positive fashion as
intended.
There being no further business today before the Government
Operations Subcommittee, the hearing is adjourned. Thank you.
[Whereupon, at 11:40 a.m., the subcommittee was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHIC] [TIFF OMITTED]
�